The R2 Standard is the leading certification for electronics repair and reuse. As the housing body for R2, SERI maintains the R2 Standard, related documentation, guidance, and facilitates its ongoing development.

SERI works with partners throughout the lifecycle of electronic products to ensure that they are managed responsibly. SERI's programs focus on education, outreach, safety, and international development.

SERI offers a variety of educational and training opportunities for recyclers, as well as opportunities for auditors and consultants. These trainings focus on implementing the R2 Standard, realizing a return on the investment in certification, discussing relevant issues or challenges related to recycling practices, and other topics.

Implementation

Data Destruction ensures that customer data is protected and destroyed. There are many methods of data destruction including sanitization, degaussing and physical destruction (R2:2013 Guidance, section 8.1). R2:2013 requires adherence to the NIST 800-88 Guidelines for Media Sanitization. Generally-accepted standards and guidelines such as NAID, ADISA, or DMS:2008 are also satisfactory.

Identification of Media and Media Containing Equipment

To conform with R2:2013 data destruction requirements, determine the different types of media containing equipment and media your organization handles and determine how employees will be trained to identify data storage devices during the receiving and sorting processes (R2:2013 Guidance, section 8.2). Data storage devices are anything with some type of storage media, such as:

CD ROMs / DVDs

Solid State Drives

Hard Drives

Floppy Disks

Data Tapes

Video Tapes

Flash Memory (USB sticks, SD cards, etc.)

Internal storage chips

Desktop / Laptop computers

DVRs (i.e. "Tivo" type devices)

Mobile phones

Servers

Tablets

Copiers and imaging devices

High-end printers

Documented Data Destruction Procedures

A Recycler is required to document methods of data destruction for each type of media containing equipment and media. Data Destruction procedures should include detailed instructions to successfully destroy the data on the particular device (R2:2013 Guidance, section 8.5). Methods of data destruction will vary by device type. For example, solid-state memory devices (such as those used in mobile devices and more modern “thin and light” laptops), require different wiping and destruction procedures than traditional spinning-disk hard drives. Additionally, data storage on phones or mobiles are physically smaller than laptop or desktop storage, meaning those devices necessitate a smaller shred size for effective destruction. Consider regularly-updated visual work instructions used at sorting stations, describing which types of devices contain data.

Data Destruction Training

Employees must be trained on Data Destruction procedures and records of employee training maintained (R2:2013 Guidance, section 8.6). Qualified personnel are required to administer all trainings and evaluate employee competency. All training procedures should be documented.

Review and validation of data destruction procedures should include: validation of the procedures, effectiveness of employee training, calibration, maintenance of equipment, and Performance of data destruction methods. Reviews should specifically include competency evaluations of employees, attempts at data recovery from sanitized devices, verification of calibration schedules, and verification of data sanitization records.

Data Destruction Security Controls

Security controls should be in effect from at the time you take possession of the data bearing media to the time the data has been destroyed. Security controls should consider physical security (locked trailers, locked bins, cages, locked rooms), monitoring (cameras, key fobs), chain of custody (transportation to facility, transportation to downstream vendor, if data is still present) and personnel qualifications (background checks). The level of security used in all of your procedures should be relevant to the most sensitive type of equipment you are processing. For example: If HIPAA material is the most sensitive material, but only accounts for 10% of a facility’s volume, all security must be designed around meeting requirements for HIPAA.

Data Destruction Process Management of Change

It is important to note that as data storage devices evolve, data destruction methods will also change and data destructions practices must be reviewed and modified. Determine how you will stay up-to-date with the newest technology and data destruction methods. Regularly assess the types of material coming into your facility, and communicate changes in the composition of your incoming recycling stream to your employees. Sort and data destruction procedures should be revised and maintained up-to-date based on assessment results.

The R2 Standard is the leading certification for electronics repair and reuse. As the housing body for R2, SERI maintains the R2 Standard, related documentation, guidance, and facilitates its ongoing development.

SERI works with partners throughout the lifecycle of electronic products to ensure that they are managed responsibly. SERI's programs focus on education, outreach, safety, and international development.

SERI offers a variety of educational and training opportunities for recyclers, as well as opportunities for auditors and consultants. These trainings focus on implementing the R2 Standard, realizing a return on the investment in certification, discussing relevant issues or challenges related to recycling practices, and other topics.